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1 TERMINOLOGY 


The following terminology is used throughout this document: 

Certification - legal recognition by the certification authority that a software product complies with the 
requirements 1 

Mission critical: Mission critical means the loss of capability leading to possible reduction in mission 
effectiveness 2 Examples of mission critical software can be found in unmanned space missions like Deep 
Space One and others. Also called Class B software at NASA. 

Safety is a property of a system/software meaning that the system/software will not endanger human life 
or the environment. 

Safety-critical means failure or design error could cause a risk to human life. 2 Examples of safety-critical 
software can be found in nuclear reactors, automobiles, chemical plants, aircraft, spacecraft, et al. Also 
called Class A software at NASA. 
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2 INTRODUCTION 

As of June 30, 2003, all Unmanned Aerial Vehicles (UAV), no matter how small, must adhere to the same 
FAA regulations as human-piloted aircraft. These regulations include certification for flying in controlled 
airspace and certification of flight software based on RTCA DO-178B. This paper provides an overview 
of the steps necessary to obtain certification, as well as a discussion about the challenges UAV’s face 
when trying to meet these requirements. It is divided into two parts: 

• Certifications for Flying in Controlled Airspace 

• Certification of Flight Software per RTCA DO-178B 


3 CERTIFICATIONS FOR FLYING IN CONTROLLED AIRSPACE 

It seems reasonable to assume that the FAA could certify a UAV for flight if the autonomous vehicle could 
meet or exceed the certification requirements for human pilots and the aircraft they fly. What are these 
requirements and what challenges do UAV’s face when attempting to comply? The Federal Aviation 
Regulations/Aeronautical Information Manual (FAR/AIM) explains requirements for pilot and aircraft 
certification as well as rules pertaining to airspace. 

The following section describes pilot and aircraft certification criteria as a foundation for understanding 
airspace designations and rules for aircraft operations. Then, subsequent sections explain airspace and 
aircraft operations and discuss the challenges faced by UAV’s in meeting these requirements. 

3.1 Pilot Training 

According to the FAR 61.3: A person may not act as pilot in command or in any other capacity as a 
required pilot, flight crewmember of a civil aircraft of U.S. registry unless that person has a valid pilot 
certificate readily accessible in the aircraft during flight 3 

There are currently no rules regarding a “non-human” pilot like an autonomous flight controller. However, 
careful investigation of human pilot requirements may lead to ideas about how to certify an autonomous 
flight controller. 

The FAR describes two methods for becoming a pilot, commonly referred to as FAR 61 and FAR 141 . 
FAR 61 contains the criteria for obtaining pilot, flight instructor and ground instructor certificates and 
ratings obtained under the tutelage of an independent certified flight instructor (CFI). FAR 141 contains 
the requirements for a pilot school certificate and criteria for obtaining pilot, flight instructor and ground 
instructor certificates and ratings from a flight school. 

In general the required flight time tends to be lower for FAR 141 ; however, it may be unlikely that an 
autonomous rotorcraft would qualify to attend a FAR 141 flight school. The following section provides an 
overview of FAR 61 and FAR 141 requirements for the five types of pilot certificates plus the instrument 
rating: 


• Student Pilot 

• Recreational Pilot 

• Private Pilot 

• Instrument Rating 

• Commercial Pilot 

• Airline Transport Pilot 
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3.1.1 Student Pilot 

Under FAR 61, a student pilot must have a Third Class Medical Certificate before soloing. A student pilot 
may not act as pilot in command of an aircraft carrying a passenger or for hire to carry property (parcels, 
etc), in furtherance of business or with visibility less than 3 statute miles during the day or 5 statute miles 
at night. 


3.1.2 Recreational Pilot 

Under FAR 61 , a recreational pilot must be at least 17 years old with a Third Class Medical Certificate 
and successful completion of the training described in Table 1 . A recreational pilot may carry no more 
than one passenger and not pay less than pro rata share of operating expenses of a flight (fuel, oil, airport 
expenses or aircraft rental fees) with a passenger. A recreational pilot may only act as pilot in command 
within 50 nautical miles from the departure airport. 


Table 1: Recreational Pilot Training Requirements Overview 


Training 

FAR 61 

FAR 141 

Ground school 

Home study or flight school 


Total Flight time 

15 hours dual instruction 

Requires a student pilot 
certificate and 30 hours of flight 
training of which 15 hours must 
be dual instruction 

Takeoffs and Landings 

3 at an airport 

3 at an airport 

Cross Country 

2 hours flight training en route to 

2 hours flight training en route to 


an airport located more than 25 

an airport located more than 25 


nautical miles from applicant’s 

nautical miles from applicant’s 


home airport 

home airport 

Flight training within 60 days 
preceding test date 

3 hours 

3 hours 

Solo time 

3 hours 

3 hours 


3.1.3 Private Pilot 

Under FAR 61 , a private pilot must be at least 17 years old with a Third Class Medical Certificate and 
successful completion of the training described in Table 2. 

Private pilot certificate has no expiration date but periodic renewal of the medical certificate is required. A 
private pilot may not pay less than pro rata share of the operating expenses (fuel, oil, airport expenses or 
aircraft rental fees) of a flight with passengers and except for special exceptions, like an aircraft 
salesperson, may not profit from flying. 
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Table 2: Private Pilot Training Requirements Overview 


Training 

FAR 61 

FAR 141 

Ground school 

Home study or flight school 

35 hours 

Total Flight time 

40 hours with at least 20 hours 
dual instruction 

35 hours flight training with at least 
20 dual instruction 

Night Flight 

3 hours 

3 hours 

Takeoffs and Landings 

10 at an airport 

10 at an airport 

Cross Country 

3 hours of cross-country flight 
training including one cross- 
country flight of over 100 nautical 
miles total distance 

1 cross-country flight of more than 
100 nautical miles total distance in 
airplane and 50 nautical miles 
distance in helicopter 

Instrument Training 

3 hours of instrument training 
including straight and level flight, 
constant airspeed climbs and 
descents, turns to a heading, 
recovery from unusual flight 
attitudes, radio communication 
and use of navigation systems 
and radar services appropriate to 
instrument flight 

3 hours of instrument training 
including straight and level flight, 
constant airspeed climbs and 
descents, turns to a heading, 
recovery from unusual flight 
attitudes, radio communication and 
use of navigation systems and radar 
services appropriate to instrument 
flight 

Flight training within 60 
days preceding test 
date 

3 hours 

3 hours 

Solo time 

10 hours solo flight time including 
5 hours of solo cross-country and 
one solo cross-country flight of at 
least 150 nautical miles total 
distance stopping at three 
separate locations. One leg of 
the flight must be at least 50 
nautical miles between takeoff 
and landing locations 

5 hours solo flight training including 
one cross-country flight of at least 
100 nautical miles stopping at three 
separate locations. One leg of the 
flight must be at least 50 nautical 
miles between takeoff and landing 
locations 

Solo Takeoffs and 
Landings 

3 takeoffs and landings 
performed at airport with 
operating control tower 

3 takeoffs and landings at an airport 
with an operating control tower 


3.1.4 Instrument Rating 

Under FAR 61, a pilot who applies for an instrument rating must hold at least a private pilot certificate. An 
instrument rating allows the pilot to fly under limited visibility, Instrument Flight Rules (IFR) conditions. 


Table 2: Instrument Training Requirements Overview 


Training 

FAR 61 

FAR 141 

Ground school 

Ground school or home study 

35 hours for initial course and 15 
hours for subsequent courses 

Total Flight time 

90 hours 

30 hours for initial course and 20 
hours for each additional course 
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Training 

FAR 61 

FAR 141 

Takeoffs and Landings 

Instrument approach at each 
airport during cross country flight. 
3 kinds of approaches using 
navigation systems. 

Instrument approach at each airport 
during cross country flight. 3 kinds 
of approaches using navigation 
systems. 

Cross Country 

50 hours cross-country flight time 
as pilot-in-command for a 
distance of at least 250 nautical 
miles along airways or ATC- 
directed routing for airplane. 100 
nautical miles for helicopter. 

Cross-country flight time as pilot-in- 
command for a distance of at least 
250 nautical miles along airways or 
ATC-directed routing for airplane. 
100 nautical miles for helicopter. 

Instrument Training 

15 hours 


Simulation time 

Maximum of 30 hours 

Maximum of 50% of total flight 
training 


3.1.5 Commercial Pilot 

FAR 61, a commercial pilot must have a Second Class Medical Certificate, private pilot certificate, 
instrument rating (or be enrolled in instrument rating course) and must have completed the training and 
flight time described in Table 3. 


Table 3: Commercial Pilot Training Requirements Overview 


Training 

FAR 61 

FAR 141 

Total Flight Time 

250 hours for airplane: 1 00 hours in 
powered aircraft with 50 hours in 
airplanes and 100 hours of pilot-in- 
command flight time with at least 50 
cross-country hours 

For helicopter rating: pilot must have 
logged at least 150 hours of flight time 
with: 

- 100 hours in powered aircraft of 
which 50 must be in helicopters 

- 100 hours of pilot-in-command flight 
time including 35 hours in helicopters 
and 10 hours in cross-country flight in 
helicopters 


Training Time 

20 hours of training 

35 hours ground school 

120 hours flight training for airplane or 
115 hours for rotorcraft 

55 hours dual instruction from CFI 
including 5 hours instrument training, 
10 hours single-engine aircraft with 
retractable landing gear, cross-country 
flights of more than 100 nautical miles 
and 2 hour duration 

Solo Flight 

10 hours in either airplane or helicopter 
depending upon rating 

10 hours in airplane or helicopter 
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3.1.6 Airline Transport Pilot 

FAR 61, an airline transport pilot must have a First Class Medical Certificate, commercial pilot certificate, 
instrument rating or comparable military flight experience and must have completed the flight training in 
either Table 4 for airplane or Table 5 for helicopter. 


Table 4: Airline Transport Pilot Training Requirements Overview for Airplane 


Training 

FAR 61 - Airplane 

FAR 141 - Airplane 

Total Flight Time 

1500 hours of total time as a pilot 
that includes: 

- 500 hours of cross-country flight 
time 

- 100 hours of night flight time 

- 75 hours of instrument flight time 

- 250 hours of flight time in an 
airplane as pilot in command 

- Performed at least 20 takeoffs 
and landings 

Meet aeronautical experience 
requirements in Subpart G of Part 61 
of FAR 141 and complete 25 hours 
flight training with 15 hours 
instrument training 


Table 5: Airline Transport Pilot Training Requirements Overview for Helicopter 


Training 

FAR 61 - Helicopter 

FAR 141 - Helicopter 

Total Flight Time 

1200 hours that includes: 

- 500 hours of cross-country flight 
time 

- 100 hours of night flight time of 
which 15 must be in helicopters 

- 200 hours of flight time in 
helicopters 

- 75 hours of instrument flight time 

Meet aeronautical experience 
requirements in Subpart G of Part 61 
of FAR 141 and complete 25 hours 
flight training with 15 hours 
instrument training 


3.1.7 Other Training 

Additional training is required for operating complex or high-performance airplanes, pressurized aircraft 
capable of flying at high altitudes, tail-wheel airplanes or gliders. 

Under FAR 61 , no person may act as pilot in command unless they have performed at least three take 
offs and landings within the past 90 days. If the flight is at night, then at least three take offs and landings 
must have been performed at night in the past 90 days. 

Under FAR 61 , no person may act as pilot in command under IFR unless they have performed at least 6 
instrument approaches, holding procedures and intercepting and tracking courses through the use of 
navigation systems. 
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3.1.8 Ratings 

In addition to a pilot certificate, type ratings for different types of aircraft can be placed on the pilot 
certificate. For example, a pilot may have an instrument rating allowing him/her to fly under low visibility 
(IFR) weather conditions. Special authorizations can be issued in lieu of a type rating for up to 60 days if 
the Federal Aviation Administrator has: 

• Authorized the flight or a series of flights 

• Determined that equivalent level of safety can be achieved through the operating limitations on 
the authorization 


Special authorizations can also be issued when the flight is in the United States and is a ferry flight, 
training flight, test flight or practical test for a pilot certificate or rating where the only compensation is for 
aircraft rental to complete the test. 


3.1.9 Maneuvers 

Under FAR 61, student pilots must demonstrate satisfactory aeronautical knowledge including: 

• Applicable sections of Part 61 - Certification: Pilots and Flight Instructors and Part 91 - General 
Operating and Flight Rules 

• Airspace rules and procedures for the airport where the solo flight will be performed 

• Flight characteristics and operational limitations for the make and model of aircraft to be flown 

• Performed the following maneuvers for an airplane: 

o Proper flight preparation procedures including preflight planning, power plant operation 
and aircraft systems 

o Taxiing or surface operations including runups (revving engine to ensure proper working) 
o Takeoffs and landings (normal and crosswind) 
o Straight and level flight 

o Turns in both directions 
o Climbs and climbing turns 

o Airport traffic patterns including entry and departure procedures 
o Collision avoidance, wind shear avoidance and wake turbulence avoidance 
o Descents, with and without turns, using high and low drag configurations 
o Flight at various airspeed from cruise to slow flight 

o Stall entries from various flight attitudes and power combinations with recovery initiated at 
the first indication of a stall and recovery from a full stall 

o Emergency procedures and equipment malfunctions 

o Ground reference maneuvers 

o Approaches to a landing area with simulated engine malfunctions 
o Slips to a landing 
o Go-arounds 

Maneuvers for a helicopter include the maneuvers listed above and include the following: 

• Hovering and hovering turns 
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• Rapid decelerations 

• Simulated one-engine-inoperative approaches and landings for multi-engine helicopters 


3.1.10 Cross-Country Flight Requirements 

Under FAR 61, maneuvers required for solo cross country flight include: 

• Use of aeronautical charts for VFR navigation using pilotage and dead reckoning with the aid of a 
magnetic compass 

• Use of aircraft performance charts pertaining to cross-country flight 

• Procurement and analysis of aeronautical weather reports and forecasts including recognition of 
critical weather situations and estimating visibility while in flight 

• Emergency procedures 

• Traffic pattern procedures that include area departure and arrival, entry into traffic patterns and 
approach 

• Procedures and operating practices for collision avoidance, wake turbulence precautions and 
wind shear avoidance 

• Recognition avoidance and operational restrictions of hazardous terrain features in the 
geographical area where the cross-county flight will be flown 

• Procedures for operating the instruments and equipment installed in the aircraft to be flown 

• Use of radios for VFR navigation and two-way communication 

• Takeoff, approach and landing procedures including short-field, soft-field and crosswind takeoffs, 
approaches and landings 

• Climbs at best angle and best rate 

• Control and maneuvering solely by reference to flight instruments including straight and level 
flight, turns, descents, climbs use of radio aids and ATC directives 

3.1.11 Pilot Logbooks 

Training time and aeronautical experience must be logged in a manner acceptable to the Administrator. 
Logbook entries should contain the following: 

• Date 

• Total flight time or lesson time 

• Location where the aircraft departed and arrived, or for lessons in simulator, location where 
lesson occurred 

• Type and identification of aircraft, simulator as appropriate 

• Name of the safety pilot 

• Type of pilot experience 

o Solo 

o Pilot in command 
o Second in command 

o Flight and ground training received from authorized instructor 
o Training received in flight simulator from authorized instructor 
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• Conditions of flight 
o Day or night 
o Actual instrument 

o Simulated instrument conditions in flight or simulator 
Logging of pilot time may be used to apply for certificate or rating and satisfy recent flight experience. 


3.2 Aircraft Testing 

FAR 91.203 through 91.221 describes the Equipment, Instrument and Certificate requirements, and FAR 
91.401 through 91.421 explains aircraft maintenance requirements. The following sections provide an 
overview of aircraft testing requirements. 

3.2.1 Mandatory Aircraft Maintenance & Inspections — Forever 

All aircraft must undergo mandatory periodic maintenance and inspections every 50 hours, 100 hours, or 
annually depending upon how the aircraft is used. 

3.2.2 Annual Inspections — Forever 

Unlike an automobile that drives in and out of an inspection bay in as little as 5 minutes, an aircraft 
undergoes an annual inspection that can take days to complete. 

The aircraft is taken into a hangar and literally taken apart, so that every component can be inspected 
and tested. Worn components are replaced, tweaks and adjustments to settings are made, improvements 
or updates are applied, lubricating fluids are analyzed by a laboratory then replaced with new ones, and 
complete records are entered into the aircraft’s logbooks. Only when everything is perfect, is the aircraft 
recertified for return to flight by an FAA-designated inspector. 

3.2.3 Mandatory Testing & Certification of Parts & Consumables — Forever 

All materials and consumables used to make, repair, and operate aircraft are tested and certified by the 
FAA. Nothing, and that means absolutely nothing, can be used to make, repair, or operate an aircraft that 
is not specifically approved for use with that individual aircraft without the explicit written approval of the 
FAA. 

3.3 Flight Plans 5 

Flight Plans can be filed for VFR, IFR and DVFR (Defense Visual Flight Rules) flights. Except for 
operations in or penetrating a Coastal or Domestic ADIZ (Air Defense Identification Zone) or DEWIZ 
(Distant Early Warning Identification Zone) a flight plan is not required for VFR flights. But filing a VFR 
flight plan is strongly recommended to ensure receipt of VFR Search and Rescue Protection. 

Flights into ADIZ or DEWIZ require a flight plan for security purposes. IFR flights require a flight plan for 
safety purposes. A flight plan includes the following information: 

• Type of flight plan (VFR, IFR or DVFR) 

• Complete aircraft identification including “N” if applicable 

• Designator for the aircraft 

• True airspeed (TAS) 

• Departure airport identifier code (i.e. SJC for San Jose International airport) or airport name 

• Proposed departure time in Coordinated Universal Time (UTC)(Z) 
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• Appropriate VFR altitude to assist briefer in providing weather and wind information 

• Route of flight using NAVAID identifier codes and airways 

• Destination airport identifier code or airport name 

• Estimated time en route in hours and minutes 

• Any pertinent remarks 

• Fuel on board in hours and minutes 

• Alternate airport if desired 

• Complete name, address and telephone number 

• Total number of persons onboard (POB) including crew 

• Predominant colors of aircraft for search and rescue 

• Flight Service Station (FSS) for closing the flight plan 

• Destination phone number to assist with search and rescue 

3.4 Airspace Classifications 4 

All the open sky covering the United States - from less than an inch off of the ground to the edge of outer 
space — is part of America’s airspace! 

This airspace is divided into several standardized types, ranging from Class A through Class G - with A 
being the most restrictive and G the least restrictive. Each type of airspace has its own required level of 
Air Traffic Control services, and its own minimum requirements for pilot qualifications, aircraft equipment, 
and weather conditions. In addition to Classes A through G, other airspace is reserved for special 
purposes called Special Use Airspace (SUA). 

Within the United States, airspace is either controlled or uncontrolled. Controlled airspace will have 
specific defined dimensions (e.g. altitude ranges or vertical boundaries, and an applicable surface area or 
horizontal boundaries). Within controlled airspace, Air Traffic Control (ATC) services are provided to all 
aircraft operating under Instrument Flight Rules (IFR), and to some aircraft operating under Visual Flight 
Rules (VFR). 



Control Zones sreJLoMted Around Many Airports 




Figure 1: Control Zones 
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An airport with an operating control tower will almost always be surrounded by either Class B, C, or D 
airspace. Many people often refer to this airspace as a Control Zone. Though no longer an official FAA 
term, the interactive, color-coded, airspace map located at 

http://www.qaservinqamerica.org/how work/work airspace.htm## 

shows all of the Control Zones surrounding America’s Class B (shown in blue) and C (shown in 
magenta) airports. 



Figure 2: Sample Airspace Map 


3.4.1 Class A Airspace 

Class A airspace covers the entire U.S., and lies between 18,000 and 60,000 feet above mean sea level 
(MSL). All of the Jetways (Jet Routes) are in Class A airspace and it is primarily used by jets and airliners 
traveling over long distances between major cities. All flights in Class A airspace are conducted under 
Instrument Flight Rules (IFR); therefore pilots must hold an instrument rating and fly according to an 
active IFR flight plan. Pilots must obtain a clearance from ATC before entering Class A airspace, and 
maintain radio contact with ATC during flight. Aircraft must be equipped with an altitude-encoding 
transponder to provide aircraft location and altitude data to ATC radar equipment. A transponder is the 
radar beacon receiver/transmitter portion of the Air Traffic Control Radar Beacon System (ATCRBS) 
which automatically receives radio signals from the interrogations on the ground and selectively replies 
with a specific reply pulse or pulse group only to those interrogations being received on the mode to 
which it is set to respond. 
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3.4.2 Class B Airspace 

Class B airspace surrounds the nation’s busiest airports and 
airport hubs in cities like Boston, Chicago, Los Angeles, et 
al. Class B airspace is designed to help manage the traffic 
as aircraft takes off and lands at the airport. Therefore, it is 
shaped like a funnel to help aircraft in and out of the main 
airport. 

Most Class B airspace extends from the surface to 10,000 
feet MSL with a circular diameter of 40 nautical miles. Pilots 
must obtain a clearance from ATC before entering Class B 
airspace and maintain radio contact with ATC. Aircraft must 
be equipped with an altitude-encoding transponder. 



Pilots must hold at least a private pilot certificate. If certain advanced training requirements are met, a 
Recreational or Student pilot certificate may be adequate although many Class B airports prohibit any 
student pilot solo flights. An instrument rating is not required; pilots may operate under Visual Flight 
Rules (VFR) in Class B airspace as long as they remain clear of clouds and have at least three miles of 
in-flight visibility. 


3.4.3 Class C Airspace 

Class C airspace surrounds busy airports not classified as 
Class B that have radar services for arriving and departing 
aircraft. Typical airports with Class C airspace would be 
Providence, Nashville, or Sacramento. 

Most Class C airspace extends from the surface to 4,000 feet 
above ground level (AGL), with a circular diameter of 20 
nautical miles. 


An ATC clearance is not required in Class C airspace, but pilots must be in radio communication with 
ATC, and aircraft must be equipped with an altitude-encoding transponder. There are no additional pilot 
qualifications for operating in Class C, D, E, or G airspace 



3.4.4 Class D Airspace 

Class D airspace surrounds airports with operating control towers 
and weather reporting service that are not superseded by more 
restrictive Class B or C airspace. 

Most Class D airspace extends from the surface to 2,500 feet above 
ground level (AGL), with a circular diameter of 4.3 nautical miles (5 
statute miles). 

Aircraft must establish and maintain two-way radio contact with the 
control tower before entering or operating in Class D. Weather 
minimums are the same as for Class C airspace. 
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3.4.5 Class E Airspace 

Class E airspace includes all other controlled airspace in the U.S. The upper limit of Class E airspace is 
18,000 MSL. However, the lower limit (where it starts) can be 14,500’ MSL, or 10,000’ MSL, or 1 ,200’ 
AGL, or 700’ AGL, or all the way to the surface of the earth. 

Most non-airport or non-airway Class E airspace located east of the Rocky Mountains starts at 1,200’ 
AGL, dropping lower over some airports. Most of the Class E west of the Rocky Mountains starts at 
10,000’ or 14,500’ MSL. The Class E airspace above 10,000’ MSL has greater visibility and cloud 
clearance minimums for VFR operations. 

Class E airspace also surrounds airports that have weather reporting services in support of IFR 
operations, but no operating control tower. Weather minimums for these areas of Class E airspace are 
the same as for Class C and D airspace. 

All airways that are not part of a higher grade of airspace are Class E airspace. 


3.4.6 Class F Airspace 

Class F airspace is not used in the United States. 


3.4.7 Class G Airspace 

Class G is uncontrolled airspace, so it includes all airspace in the U.S. that is not classified as Class A, B, 
C, D, or E. No ATC services are provided, and the only requirement for flight is certain visibility and cloud 
clearance minimums. Most of the airspace up to 1 ,200 feet AGL (Above Ground Level) is Class G 
airspace. There is virtually no Class G airspace above 1 ,200 feet AGL east of the Rocky Mountains. 


3.4.8 Special Use Airspace (SUA) 

Special use airspace (SUA) includes prohibited areas, restricted areas, warning areas, military operations 
areas (MOAs), alert areas, and controlled firing areas. 



Figure 3: Special Use Airspace 

In these areas, aeronautical activity must be limited, usually due to military use or national security 
concerns. You can see SUA on the interactive map located at: 
http://www.gaservingamerica.Org/how_work/work_airspace.htm## 
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3.4.9 Other Airspace Areas 

Other airspace areas include Airport Advisory Areas, Military Training Routes, and areas where 
Temporary Flight Restrictions (TFRs) or limitations/prohibitions apply. For example, TFRs are often 
established over large forest fires to help keep aircraft from straying into hazardous conditions. 


3.5 Aircraft Operations 5 

Aircraft must be operated in accordance with FAR 91 , General Operating and Flight Rules. The 
autonomous rotorcraft must be able to follow the right-of-way rules in FAR 91 .1 13, Right-of-Way Rules: 
Except Water Operations and 91 .1 15 Right-of-Way Rules: Water Operations. Generally, slower, less 
agile aircraft are given right of way by faster, easier to maneuver vehicles. For example, a hot-air balloon 
has the right-of-way over any other category of aircraft. When two aircraft are approaching head-on, 
each pilot must alter course to the right. Aircraft in final approach while landing has right-of-way over 
aircraft in flight or taxiing. 

Other salient information from of FAR 91 is listed by section number below: 

• FAR 91 .1 17 states that no aircraft may fly more than 250 knots (288 mph) below 10,000 feet MSL 
(Mean Sea Level) 

FAR 91 .1 19 says that except when taking off and landing, no aircraft may fly over congested 
areas below 1000 feet above the highest obstacle within 2000 feet of the aircraft 

FAR 91 .121 contains tables with lowest usable flight level and adjustment factors for altimeter 
settings 

FAR 91 .123 describes compliance with Air Traffic Control (ATC) instructions 

FAR 91.126 through FAR 91.135 discusses operating in each class of airspace beginning with 
Class G and ending with Class A 

FAR 91.137 and 91.138 discuss Temporary Flight Restrictions (TFRs) on the mainland and in 
Hawaii 

FAR 91.138 provides guidance regarding Emergency Air Traffic Rules 

FAR 91.141 states that no person may fly in the vicinity of an area to be visited by the President 
or Vice President or other public figures 

FAR 91 .143 says that no person may fly in the proximity of space flight operations (shuttle take 
off and landing, etc.) 

FAR 91.151 through 91.159 describe the Visual Flight Rules 
FAR 91.167 through 91.193 describe the Instrument Flight Rules 
FAR 91 .303 explains rules for aerobatic flight 
FAR 91.307 discusses parachutes and parachuting 
FAR 91.309 describes towing operations (e.g. towing of gliders) 

FAR 91 .313 discusses operation of restricted civil aircraft 
FAR 133 describes Rotorcraft External-load operations 

3.6 Aircraft Operations during Wildfires 6 

According to the Bureau of Land Management, aircraft play these important roles in fighting wildfires: 
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• Fire detection - includes aerial observation to find fires at the smallest size possible. For 
example, in the forests of East Texas, pilots fly small aircraft such as the Cessna 172 over the 
forest to detect wildfires or accidental fires started by campers, etc. 

Fire detection also includes determining the perimeter of a fire while it rages. A pilot with fire 
detection skills or a pilot and a fire expert fly over the fire and attempt to locate the edge. This is 
sometimes difficult because it is hard to see through smoke. 

• Fire Assessment - also called Fire Intelligence. Aircraft is used to observe the fire and the 
ground forces fighting it. A visual of the fire provides decision makers important information 
necessary to develop strategies for extinction. Also, from time to time prescribed fires are set in 
the woods for resource benefits. These fires must be carefully managed and herded to 
accomplish the goal of the fire. 

• Fire fighting - dropping water or retardant agents from helicopters or aircraft to put out the fire. 

For example, during the Malibu fires, helicopters scooped water from the ocean and drop it on the 
fire. 

Pilots participating in fire fighting activities must have at least a private pilot’s license. During a wildfire, 
the FAA issues temporary flight restrictions over the area and air traffic for fighting the fire is managed by 
assigning altitude ranges for each type of activity (from taxing ground forces to observation). 

Flying during a fire is especially risky because pilots must fly low and slow over hot, generally 
mountainous terrain. Therefore, opportunities exist for unmanned fire fighting aerial vehicles to reduce 
this risk. Challenges for fire fighting UAV’s are discussed in the next section. 

3.7 Challenges for Flight Certification of UAV 

Many facets must be considered when contemplating the challenges of flight certification of UAV’s. First, 
there are several types of UAV’s from pint-size helicopters to high-altitude, long-endurance (HALE) 
vehicles. They can be divided into the following classes 7 : 

• Micro UAV’s - drones weighing about 5 pounds and measuring 9 inches in diameter designed to 
fit inside a soldier’s backpack and conduct surveillance over short distances. Examples include 
iStar, HeliSpy and Wasp. 

• Mini UAV’s - vehicles up to 6 feet long and weighing up to 90 pounds that were first used in the 
1991 Gulf War for short-range reconnaissance to detect nearby threats in the field. Examples 
include Pointer, Dragon Eye and ScanEagle. 

Tactical UAV’s - larger than minis and perform similar tactical intelligence-gathering and target- 
acquisition missions with greater carrying capacity and endurance. Examples include Shadow 200, 
Pioneer, Dragon Warrior, GoldenEye, Hummingbird, Fire Scout, Eagle Eye and Dragonfly. 

• HALE UAV’s - High-altitude, long-endurance typically the size of business jets or 737s which 
survey large geographic areas and provide near real-time, high-resolution reconnaissance 
imagery. Examples include Ultra-LEAP, Predator B, Global Hawk and Proteus. 

For purposes of this discussion, two types of UAV have been considered: the Mini UAV and HALE: 

• Mini UAV - The Yamaha helicopters used for the Autonomous Rotorcraft Project (ARP) fit into the 
Mini UAV category. They were designed to accomplish reconnaissance and surveillance and can 
fly for about one hour with a 65 lb payload. The ARP rotorcrafts have already received special 
Airworthiness Releases to fly at Moffett Airfield and other authorized airfields for purposes of 
research, but so far flight has been under human control. The autonomous flight control system 
is scheduled for flight in the near term. Details of the airworthiness release are described below. 

• HALE vehicles cruise at altitudes between 45,000 and 60,000 feet and can stay aloft for 24 hours 
at a time. They are controlled remotely by pilots on the ground thanks to satellite links that 
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convey images and commands in real time. HALE vehicles were used in the Afghanistan conflict 
and in the war against Iraq. 

If these UAV’s were to seek pilot certification, what type of pilot rating would be appropriate for the mini 
UAV and HALE? A definitive answer must take into account where and when the UAV would fly. 
Historically, new aircraft have flown in less populated areas until they establish a track record for safety. 
Therefore, the recreational pilot option might be sufficient since recreational pilots are limited in where 
they can fly. However, reconnaissance and surveillance seems to require the ability to cover more 
ground than 25 nautical miles from the UAV’s home airport. HALE UAV’s may be too large to take off at 
a small airport and may require a Class B or C airport. 

The private pilot certification includes all the basic maneuvers necessary for safe, effective flight during 
VFR and an instrument rating would make it possible to fly with limited visibility. This may be a good 
option for the Mini UAV since they are a single engine aircraft similar to general aviation aircraft. 

The multi-engine commercial pilot certificate requires a demonstration of the ability to handle multiple 
engines, which applies to HALE vehicles but not to ARP. The ATP certificate adds flight experience to 
ensure handling of various flight conditions in order to safely ferry passengers. While flight experience is 
always good, UAV’s are not currently being considered as passenger vehicles. 

Suppose the UAV takes the traditional route to pilot certification beginning with the private pilot licensure, 
what challenges would it encounter during flight training? First, minor challenges occur in obtaining a 
medical clearance and proper flight preparation including flight plans and preflight checks. These 
challenges are easily overcome by having a human meet the requirements and perform these tasks 
similar to the way HALE vehicles operate now. 

Next, the UAV must perform flight maneuvers described in section 3.1 .8. Since the rotorcraft is a 
helicopter, taxiing and surface operations can be handled by a human pilot who positions the rotorcraft for 
takeoff. Currently, the autonomous rotorcraft takes off and lands under human control, but research to- 
date indicates that autonomous take-off and landing are feasible. Additional types of sensors, like sonar 
altitude sensors, may be needed to augment the GPS system in order to find the ground for a soft 
landing. Autonomous takeoff and hovering at the proper altitude may also present challenges. HALE 
vehicles require runway clearance for takeoff, and assurance that other aircraft will not traverse their 
ascent to high altitude. According to the Air Force, there have been occasions when the FAA has cleared 
a flight path of civilian aircraft for an autonomous UAV, but that is not the norm. 8 This suggests a growing 
need for a strategy to accommodate autonomous aircraft while still maintaining a high degree of safety 
surrounding flight. 

During normal flight, the innovative, ARP flight control system (FCS) contains advanced control laws 
(CLAW) making it possible for autonomous flight including: straight and level flight, turns in both 
directions, climbing and climbing turns, hovering and hovering turns, descents with and without turns, 
flight at various airspeeds and recovery from stalls. The ARP FCS can also handle approaches to the 
landing area with simulated engine malfunction. HALE vehicles would need a similarly robust 
autonomous FCS to accomplish these maneuvers. 

“Detect, See and Avoid” Challenges 

Bigger challenges occur when considering operations requiring interface with other pilots or the control 
tower such as safe entry into the airport traffic pattern and/or collision avoidance. These are commonly 
called “detect, see and avoid” maneuvers. Possible solutions to these challenges include: 

• Required use of Type S Transponders on all aircraft making it possible for aircraft to identify 
others’ location. The UAV could read Type S Transponders emissions and steer clear. 

• Text messaging services are generally used when flying over large bodies of water where the 
distance makes voice communications less reliable. The UAV computers could read and parse 
the text message into commands that autonomous systems can understand. 
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• Onboard radio for relay to ground teams making it possible for a human pilot to monitor UAV flight 
and remotely perform “detect, see and avoid” maneuvers. Depending upon the complexity of the 
operation, a human pilot may be able to monitor multiple UAV’s. 

Because HALE UAV’s fly at altitudes above commercial aircraft, they mainly face challenges when re- 
entering controlled airspace generally during takeoff and landing or during an emergency malfunction. 

Finally, the UAV must log flight activity in a flight log. This could be a combination of computer-generated 
messages about the flight and notes from the human pilot in charge of this flight. 

Distance Challenges 

Some of the distance requirements for standard pilot classifications present challenges. In order for the 
ground station to maintain radio contact for a 25-mile cross-country flight, the height of the ground 
antennas would have to be increased significantly. It is possible that increased height could get to the 
point that it would create a flight obstruction just to maintain communication. 

Perhaps a new, interim category could be developed that is tuned to operation within ~10 mile range of 
an (arbitrary) fixed point. Once the autonomous aircraft has been proven reliable and has an established 
safety history then it could fly longer distances. 

Fire Fighting Challenges 

In addition to the challenges described above, fire fighting UAV’s must be equipped with lightweight 
cameras and infrared cameras that can provide clear pictures of the fire to ground control in a timely 
fashion. Cost is also a factor. 

Aircraft Maintenance Challenges 

In some cases, UAV’s have been considered expendable and have not been maintained with the same 
rigor as human-powered aircraft. In order to fly in controlled airspace, aircraft must be rigorously 
maintained in accordance with FAR 91 for the safety of inhabitants living under the flight path. 

Airworthiness Release 

In order to fly out of Moffett Field, an airworthiness release was required from the Army and a permit from 
NASA Ames Research Center. The airworthiness release from the Army 9 contains the following 
information: 

• References to Airworthiness Authority documentation from NASA Ames Research Center, 
Yamaha RMAX helicopter operation manual, controls documentation, yearly inspection criteria, 
pre-flight checklists, etc. 

• Purpose of flight 

• Configuration of fight including the helicopter and remote control transmitter 

• Specific operation restrictions including outlawed maneuvers and operation requirements 

• Special inspections and instructions 

• Aircraft logbook entries 

• Term of airworthiness release 

The NASA permit 10 includes the following: 

• Section 1 Permit Information: 

o Results of flight readiness review before the flight 
o Responsible parties 
o Description and Purpose of Project 
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o Permitted operations 

o Special requirements including special equipment required or any hazardous operations 
or chemicals involved 

o Aircraft support services such as fuel, oil, oxygen, etc required 
o List of vehicles, personnel and frequency transmitters employed 
o Proof of insurance 

• Section 2: Rotorcraft Remote Control Aircraft Operation Conditions 

o Authorized weather conditions (for example: weather at 500 feet AGL and 1 mile 
visibility) 

o Weekly Flight Schedule 

o Restrictions including only authorized personnel, aircraft movement and parking 
o Identification of safety observer 

o Location of flight (example: north end of the West parallel) 

o Rotorcraft RC personnel are responsible for knowing and complying with all applicable 
elements of the Airfield Operating Manual and must observe driving rules and speed 
limits in same 

o Only authorized, qualified pilots may conduct flights. (RC pilot qualifications are to be 
determined) 

o Emergency reporting 

o Notice that rotorcraft shall operate as if it is a full-sized aircraft using Moffett Field Class D 
airspace. Standard pilot to ATC radio procedures will be used including specific radio 
clearances required from ATC Control Tower 

o Autonomous and semi-autonomous rotorcraft operations were specifically not approved 
but instructions were provided for seeking approval of same 

• Attachment 1 

o Picture and description of Yamaha RMAX helicopter 
o Description of Autonomous Rotorcraft Project 
o Flight Readiness Review presentation 


NASA has also published a comprehensive flight research operating procedures manual titled: AFDD 
Memorandum 95-1 Flight Research Standard Operating Procedures to spell out aviation management, 
operations and safety, training and standardization, flight procedures, maintenance and aircraft 
modification guidelines. 
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4 CERTIFICATION OF FLIGHT SOFTWARE PER RTCA DO-1 78B 

The previous section discussed the flight capabilities of the UAV as a whole. This section focuses on 
certification of UAV flight software. How does the FAA know when flight software works properly and is 
safe to fly? In the United States, software must undergo a certification process described in the 
Requirements and Technical Concepts for Aviation (RTCA) DO-178B which is enforced by the Federal 
Aviation Administration (FAA). During the certification process, the FAA regulatory authorities will be 
looking for evidence that all potential hazards have been identified and that appropriate steps have been 
taken to mitigate them. The UK and Europe have similar certification processes. Again, it seems likely 
that if UAV flight software can meet or exceed current FAA certification requirements it could be certified 
for flight. 

In order to meet regulatory guidelines, developers must build a safety case as a means of documenting 
the safety justification of a system. The safety case is a record of all safety activities associated with a 
system throughout its life. Items contained in a safety case include the following: 

• Description of the system/software 

• Evidence of competence of personnel involved in development of safety critical software and any 
safety activity 

• Specification of safety requirements 

• Results of hazard and risk analysis 

• Details of risk reduction techniques employed 

• Results of design analysis showing that the system design meets all required safety targets 

• Verification and validation strategy 

• Results of all verification and validation activities 

• Records of safety reviews 

• Records of any incidents which occur throughout the life of the system 

• Records of all changes to the system and justification of its continued safety 


4.1 RTCA DO-1 78B 1 

RTCA DO-178B, “Software Considerations in Airborne Systems and Equipment Certification” contains 
guidance for determining that software aspects of airborne systems and equipment comply with 
airworthiness certification requirements. 

Written in 1980 by the Radio Technical Commission for Aeronautics (now RTCA, an association of 
aeronautical organizations of the United States from both government and industry), it was revised in 
1985 and again in 1992. During the 1992 revision, it was compared with international standards: ISO 
9000-3 (1991 ), “Guidelines for the Application of ISO 9001 to the Development, Supply and Maintenance 
of Software” and I EC 65A (Secretariat) 122 (Draft - 11-1991), “Software for Computers in the Application 
of Industrial Safety-Related Systems” and it is considered to generally satisfy the intent of those 
international standards. 

RTCA also published the following documents to clarify DO-178B: 

• DO-248B - explains best practices in applying DO-178B 

• DO-278 - provides an extension to standards for ground-based facilities. 

In addition to DO-178B, the FAA also considers the documents shown in the following diagram: 
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Flow of FAA Regulations 

Software Relationship 



•81 10.95, Field Loadable Software 

•8110.89, Legacy Software Systems 

•81 10.90, Software Review 

•81 10.92, Level D Criteria for Legacy Software 

•8110.91, Tool Qualification 

•81 10.94, User Modifiable Software 

•8110.86, Software Conformity 

•81 10.85, Change Impact Analysis for Major/Minor Changes 


Figure 4: Flow of FAA Regulations 

The following flow shows the FAA approval process. 


FAA Approval Process 


Idea For New Avionics 
Product Is Born 


Certification Plan Is Prepared And 
Submitted To The ACO For Review 
And Approval. Plan Will Address The 
System Safety Assessment And The 
Software Aspects Of Certification. 


Testing Plans and System Safety 
Assessment Prepared and Submitted 
to the ACO for Review and Approval - 


Flight Test Plan and Balance of Design 
approval Documents Submitted to ACO' 
for Review and Approval 


Product Is Evaluated For 
Marketability And Certifiability 


Company Makes Decision To 
Proceed With Development 


Preliminary Design 
Completed 


Detailed Design Completed 


System Testing Completed 


Installation in Aircraft and 
Certification Testing 
Completed 


FAA ACO Issues Certificate 
And System Is Ready For 
Operational Approval 


FAA engineering personnel 
are sometimes consulted at 
this step 


This is the appropriate time to 
initiate certification project 


Close consultation with FAA 
engineering personnel is essential 
throughout design process to avoid 
new requirements late in process 


FAA witnesses many of the systems 
tests for certification 


FAA witnesses all of the flight and 
ground tests conducted on an aircraft 
for certification 


Figure 5: FAA Approval Process 
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4.2 DO-178B Software Level Definitions 

Software can be divided into two broad categories based on the risk associated with software failure or 
defective software design: 

1 . Mission critical meaning a loss of capability leading to possible reduction in mission 
effectiveness 2 

2. Safety critical meaning a failure or defective design could cause a risk to human life 2 

DO-178B classifies software in more detail according to five levels described below; however, the overall 
idea is the same - more rigorous certification processes and methods are required for safety-critical 
software. 

• Level A - software whose anomalous behavior would cause or contribute to a catastrophic failure 
that would prevent safe flight and landing 

• Level B - software whose anomalous behavior would cause or contribute to a hazardous/severe- 
major failure condition. Hazardous/Severe-Major is defined as failure conditions that reduce the 
capability of the aircraft or crew to cope with adverse operating conditions to the extent that safety 
is jeopardized, the physical demands on the crew are excessive to the point of being impossible 
and serious or fatal injuries may occur. 

• Level C - software whose anomalous behavior would cause or contribute to a major failure with 
significant reduction in safety, increase in crew workload or conditions impairing crew efficiency or 
discomfort or injury to occupants 

• Level D - software whose anomalous behavior would cause or contribute to a minor failure that 
would not significantly reduce aircraft safety and where crew actions would not be impaired but 
the crew might be inconvenienced 

• Level E - software whose anomalous behavior would have no effect on operational capability of 
the aircraft and would not increase crew workload 1 

4.3 DO-178B Safety-Critical Certification Requirements 

DO-178B contains specific guidance for certification of safety-critical software to assure the safety of 
everyone involved in flight. In order to comply, suppliers in the aerospace industry must understand that 
DO-178B does not certify software as a unique, stand-alone product. Software is considered a part of the 
airborne system or equipment installed on the aircraft or engine. 

4.3.1 Safety-Critical Certification Process 

The certification process includes the following steps where the applicant is a supplier of aerospace 
software and the certification authority is the organization or person responsible within the state or 
country concerned with the certification: 

• Applicant meets with the certification authority to establish the certification basis or criteria for the 
aircraft or engine 

• Applicant develops a Plan for Software Aspects of Certification (PSAC) to meet the certification 
basis. The PSAC includes: 

o System overview explaining the: 

■ System functions and their allocation to the hardware and software 

■ Architecture 

■ Processor(s) 

■ Hardware and software interfaces 

■ Safety features 
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o Software overview describing the software functions with emphasis on the proposed 
safety and partition concepts like resource sharing, redundancy, multiple-version 
dissimilar software, fault tolerance and timing/scheduling strategies 

o Certification considerations including: 

■ Means of compliance 

■ Software level (A-E) 

■ Summary of the justification provided by the system safety assessment process 
including potential software contributions to failure conditions 

o Software Life Cycle section containing a description of the software with reference to 
respective detailed software plans and a summary explaining how the objectives of each 
software life cycle process will be satisfied and which organization is responsible. The 
minimum software life cycle data that may be submitted to the Certification Authority is 
the: 


■ PSAC 

■ Software Configuration Index (SCI) - described in Appendix C 

■ Software Accomplishment Summary (SAS) - described in Appendix D 

■ Software Verification Cases and Procedures 

However, according to Boeing Wichita Development and Modification Center (WDMC), a 
FAA-Designated Alteration Station, the minimum is rarely enough. A successful 
presentation to the FAA should include the following artifacts. The items highlighted in 
bold type are specific to DO-178B. Other documents are standard life cycle material; 
however, the FAA requires that these artifacts be updated regularly so they contain the 
most recent information rather than having modifications appended at the end of the 
document. 

1 . Plan for Software Aspects of Certification (PSAC) 

2. Software Development Plan (SDP) 

3. Software Verification Plan (SVP) 

4. Software Configuration Management Plan (SCMP) 

5. Software Quality Assurance Plan (SQAP) 

6. Software Requirements Standards (SRS) 

7. Software Design Standards (SDS) 

8. Software Code Standards 

9. Software Requirements Data 

10. Design Description (SDD) 

1 1 . Source Code 

12. Executable Object Code 

13. Software Verification Cases and Procedures 

14. Software Verification Results 

15. Software Life Cycle Environment Configuration Index 

16. Software Configuration Index (SCI) 

1 7. Problem Reports 

18. Software Configuration Management Records 

19. Software Quality Assurance Records 

20. Software Accomplishment Summary (SAS) 

In order to obtain certification by the FAA, the applicant must prove that objectives have 
been met. For Level A there are 66 objectives, for Level B there are 65 objectives and 
for Level C there are 62 objectives. 
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o Software Life Cycle Data section including a description of any data to be produced and 
controlled by the software along with how the data relate to each other. It should also 
include information about how the data will be submitted to the certification authority 
(diskette, CD...) and the form of the data (i.e. text file, binary file...). 

o Schedule 

o Additional considerations like tool qualification, previously developed software, COTS 
software, et al. 

• Certification authority assesses the PSAC for completeness and consistency by comparing it to 
the certification basis 

• Certification authority satisfies itself that proposed software level is appropriate 

• Certification authority apprises applicant of any issues that must be satisfied prior to certification 

• Certification authority determines whether the aircraft or engine (including software) complies with 
the certification basis by reviewing the SAS and evidence of compliance. The Certification 
authority may also review at its discretion the software life cycle processes and their outputs. 11 

4.3.2 Additional Certification Considerations 

Additional certification considerations include: 

• Use of Previously Developed Software 

• Tool Qualification 

• Alternative Methods 

4.3.2. 1 Use of Previously Developed Software 

Frequently, software will rely upon COTS or other previously developed software. Certification of these 
modifications takes into account the following: 

• Change of software level 

• Impact of modification on requirements, architecture, installation, development environment, 
target processor or other hardware and integration with other software 

DO-178B lists specific methods for ensuring the safety of any modifications. These methods include: 

• Reverse engineering to obtain software life cycle data that is inadequate or missing 

• Comparison of failure conditions to previous application 

• Upgrading development baseline if product history is necessary to satisfy certification objectives 

• Repetition of hardware/software compatibility reviews 

• Additional integration tests and reviews as necessary 

4.3. 2. 2 Tool Qualification 

Qualification of a tool is needed when processes described in DO-178B are automated. The objective is 
to ensure that the tool provides at least the same confidence as the manual process. The concept of tool 
qualification is unique to civilian aviation. Other industries do not typically require tool qualification prior to 
use. 

For qualification purposes, tools are divided into two categories: 

• Development Tools - tools whose output is part of airborne software and can introduce errors 

• Verification Tools - tools that cannot introduce errors, but may fail to catch them 
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4.3.2. 2.1 Qualification of Development Tools 

Software development tools must be qualified to ensure they do not introduce errors into airborne 
software. Qualification criteria include the following: 

• The software development process for the tool must satisfy the same objectives as the 
development process for airborne software 

• The software level must be the same for the development tool and the airborne software. A 
different level may be applied if the tool provides a significant reduction in verification activities 
(like an auto-coder). 

• The tool must be verified against Tool Operational Requirements. This may involve a trial period 
during which tool output is verified. 

The certification authority qualifies a software development tool after considering the following: 

• The tool must meet specific criteria outlined in the Tool Qualification Plan which contains: 

o Configuration identification of the tool 
o Details of the certification credit sought 
o Software level 

o Tool qualification activities to be performed 
o Tool qualification data to be produced 

• The Tool Accomplishment Summary (similar to the Software Accomplishment Summary 
described in a Section 6.4) must be provided illustrating compliance with the Tool Qualification 
Plan. 

4.3.2. 2.2 Qualification of Verification Tools 

Verification tools must be qualified to make sure that the tools catch the errors they were designed to find. 
Qualification criterion includes checking that the tool complies with its Tool Operational Requirements 
under normal operational conditions. 

The certification authority qualifies a verification tool after inspecting the SAS and other materials 
necessary to prove that the tool complies with the PSAC. 

4.3. 2. 3 Alternative Methods 

Alternative methods may be used to support software qualification. DO-178B describes the following 
alternative methods: 

• Formal methods involving the use of formal logic, discrete mathematics and computer-readable 
language to improve the specification and verification of software 

• Exhaustive Input Testing for situations where the inputs and outputs of software can be 
bounded and exhaustively tested 

• Software reliability models including methods for estimating the post-verification probabilities of 
software errors. At the time of publication, DO-178B did not consider these techniques mature 
enough for safety critical software. 

• Product service history demonstrating that the software has a track record of safety 

An alternative method cannot be considered in isolation from the software development processes. The 
applicant must show that the alternative method satisfies the objectives of DO-178B. 
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In order to use an alternative method, the applicant must specify the following in the PSAC: 

• Impact of the proposed method on the software development process and life cycle data 

• Rationale behind the alternative method clearly showing how it meets safety objectives 

4.3.3 Modified Condition and Decision Coverage (MCDC) 

Modified Condition/Decision Coverage is a structural coverage criterion required by DO-178B for Level A 
software. It addresses exercising of Boolean expressions throughout the software, presumably because 
Boolean logic is commonplace in flight-critical software, especially in control laws. Each decision (a top- 
level Boolean expression) must be exercised to check both True and False outcomes. 

MCDC levies further coverage requirements if a decision is composed of multiple conditions (a condition 
is a Boolean subexpression of a decision) connected by Boolean operators, as in (A and (B or C)). The 
additional requirement is to demonstrate that each condition can independently influence the outcome of 
the decision. That is, there exists a set of value for all other conditions in the decision for which toggling 
the value of this one condition will toggle the outcome of the decision. For example, in the decision (A and 
(B or C)), a value of False for B and True for C will demonstrate that A can independently affect the 
outcome of the decision, as the following truth table illustrates: 

ABC (A and (B or C)) 

T F T T 
F F T F 

where T = True and F = False 

Here, changing A from T to F while holding the values of B and C constant changes the value of the 
decision. There may be other combinations of values for B and C which will also demonstrate the 
independence of A, but one combination is all that is needed. Likewise, conditions B and C must be 
demonstrated to independently affect the outcome of the decision. It can be shown that a minimum of (N 
+ 1 ) test cases will be needed to accomplish MCDC for a decision containing N distinct conditions. 

There is one other, somewhat unrelated, requirement included in MCDC: each entry and exit point of a 
subprogram must be exercised. This requirement was most likely included for completeness to ensure 
explicit coverage of these entry and exit points for Level A systems. 

Beyond the simple cases where decisions consist of familiar Boolean operators and all distinct conditions, 
there is controversy surrounding the meaning of MCDC and how to apply it. Investigation is under way at 
NASA Langley to study the variations that exist and to recommend ways of promoting a uniform 
interpretation of MCDC. 12 
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5 CURRENT RESEARCH TOWARD FAA CERTIFICATION 

Current trends and research toward FAA certification of autonomous flight vehicles include, but are not 
limited to, work underway at NASA and DARPA: 


• Access 5 Project at NASA Ames Research Center - Dallas Denery (POC). Access 5 stands for 
“access to controlled airspace in 2005”. The project team is looking into the technology, 
simulation, flight demonstration and policies and procedures issues surrounding autonomous 
flight for HALE UAV’s with special emphasis on “detect, see and avoid” technologies. 


• DARPA SEC (Software Enabled Control) Program - Multi-project initiative to study 

autonomous flight. OGI School of Science & Engineering, Oregon Health & Science University 
was working towards autonomous helicopter flight similar to ARP. Contact: John Bay, Program 
Manage; Principal Investigator: Richard Kieburtz. The following was taken from a slide dated 
November 2002. Plans include autonomous take off and landing by March 2003. 


Instrumented X-Cell 60 helicopter delivered by MIT 

• Clone of MIT’s tested configuration 

• Instrumentation 

o IMU 
o GPS 
o Compass 
o Altimeter 

o Flight computer -- 300 MHz Pentium 
running QNX 4 

o Telemetry transmitter packaged with 
batteries in a dynamic vibration 
isolation unit - approx. 81b. payload 

Simulators 

o Non-real-time simulator on Windows 

o Nonlinear flight dynamics model 
o Real-time HIL simulator on QNX 

o drives servos, models sensors 



• Other Documentation 

“Guidance for Unmanned Aerial Vehicles (UAV) Operations, Design Specification, Maintenance 
and Training of Human Resources”, NATO Committee for European Airspace Coordination 
(CEAC), Document AC/92-D/967 (ORIGINAL: ENGLISH dated 25 November, 1996). 

“Equipment, Systems and Installations in Part 23 Airplanes”, Federal Aviation Administration 
Advisory Circular AC 23.1309-1C, December, 1999. 
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6 APPENDIX A: ACRONYMS 


Term 

Definition 

ARC 

Ames Research Center 

FAA 

Federal Aviation Administration 

EIA 

Electronic Industries Association 

IEC 

International Electro-technical Commission 

IEEE 

Institute of Electrical and Electronic Engineers 

ISO 

International Organization for Standardization 

MIL STD 

Military Standard 

NASA 

National Aeronautical Space Administration 

NPD 

NASA Policy Directive 

NPG 

NASA Procedures and Guidelines 

RTCA 

Requirements and Technical Concepts for Aviation 

V&V 

Verification & Validation 


Note: More Acronyms: http://www.ksc.nasa.gov/facts/acronyms.html 
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7 APPENDIX B: GLOSSARY 

AGL: Above ground level 

Certification: process for demonstrating that system safety is satisfactory for flight operation 

IFR: Instrument Flight Rules means weather conditions below the minimum for flight under visual flight 
rules. Marine layer fog is an example of an IFR weather condition. 

Mission critical: loss of capability leading to possible reduction in mission effectiveness but cannot 
cause a risk to human life 

Modified Condition And Decision Coverage (MCDC): defined as checking that “every point of entry 
and exit in the program has been invoked at least once, every condition is a decision that the program 
has taken all possible outcomes at least once, every decision has been shown to independently affect 
that decision’s outcome. A condition is shown to independently affect a decision’s outcome by varying 
just that condition while holding fixed all other possible conditions . n1 

PSAC: Plan for Software Aspects of Certification 

Safety-critical: failure or design error could cause a risk to human life 

VRF: Visual flight rules means weather conditions do not interfere with visibility. A bright sunny day with 
no clouds is an example VFR weather condition. 

Validation: process of determining that the requirements are correct and complete 

Verification: evaluation of results of a process to ensure correctness and consistency with respect to the 
input and standards provided to that process 
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8 APPENDIX C: SOFTWARE ACCOMPLISHMENT SUMMARY (SAS) 1 

The SAS is the primary document for showing compliance with the Plan for Software Aspects of 
Certification (PSAC). It contains the following: 

• System overview explaining the: 

■ System functions and their allocation to the hardware and software 

■ Architecture 

■ Processor(s) 

■ Hardware and software interfaces 

■ Safety features 

Also describes any differences from the system overview in the PSAC. 

• Software overview including software functions with emphasis on the proposed safety and 
partition concepts like resource sharing, redundancy, multiple-version dissimilar software, fault 
tolerance and timing and scheduling strategies. Also describes any differences from the system 
overview in the PSAC. 

• Certification considerations including a restatement of PSAC certificate considerations and 
description of any differences. 

• Software characteristics including the executable object code size, timing and memory margins, 
resource limitations and the means of measuring each characteristic 

• Software Life Cycle section containing a description of the software with reference to respective 
detailed software plans and a summary explaining how the objectives of each software life cycle 
process will be satisfied, which organization is responsible and the certification liaison 
responsibilities. Also describes any differences from the system overview in the PSAC. 

• Software Life Cycle Data section including a description of any data to be produced and 
controlled by the software along with how the data relate to each other. It should also include 
information about how the data will be submitted to the certification authority (diskette, CD...) and 
the form of the data (i.e. text file, binary file. . .). Also describes any differences from the system 
overview in the PSAC. 

• Additional considerations section that summarizes certification issues that may warrant the 
attention of the certification authority 

• Change history 

• Software status section including a summary of problem reports unresolved at the time of 
certification 

• Compliance statement section stating compliance with this document and summarizing the 
methods used to demonstrate compliance and any additional rulings or deviations for plans, 
standards or this document. 
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9 APPENDIX D: SOFTWARE CONFIGURATION INDEX (SCI) 1 

The SCI identifies the configuration of the software and should identify the following: 

• Software product 

• Executable object code 

• Source code components 

• Previously developed software 

• Software life cycle data 

• Archive and release media 

• Instructions for building the executable object code 

• Reference to the Software Life Cycle Environment Configuration Index - identifies the 
environment where the software will run 

• Data integrity checks, if used 
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